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IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re application of: Confirmation No. : 3018 

BELANGER et ah Art Unit: 2436 

Appl. No.: 10/659,368 Examiner: Johnson, Carlton 

Filed: September 1 1 , 2003 Atty. Docket: 2222.3810000 

For: System and Method for Data Access and 
Control 

Arguments to Accompany the Pre- Appeal Brief Request for Review 

Mail Stop AF 

Commissioner for Patents 
POBox 1450 

Alexandria, VA 22313-1450 
Sir: 

Applicants hereby submit the following Arguments, in five (5) or less total pages, as attachment to the Pre- 
Appeal Brief Request for Review (Form PTO/SB/33). A Notice of Appeal is concurrently filed. 

Arguments 

Applicants' arguments in the Amendment and Reply under 37 C.F.R. § 1.111 filed in response to the Office 
Action issued April 2, 2008, were not properly considered or responded to by the Examiner in the final Office 
Action issued October 22, 2008, ("Office Action"). Also Applicants' arguments in the Amendment and Reply 
under 37 C.F.R. § 1.116 filed in response to the final Office Action, were not properly considered or responded to 
by the Examiner in the Advisory Action issued January 13, 2009, ("Advisory Action"). In particular, the 
Examiners' response was legally and factually deficient because the Examiner failed to adequately show where the 
cited references teach or suggest "submitting, by the controller, a request for authorization to a resolution authority, 
which is configured to modify the one or more access requirements, in response to a comparison that indicates that 
access by the access candidate is prohibited," as recited by independent claim 1, "submitting a request for 
authorization to a resolution authority, which is configured to modify one or more access requirements associated 
with the second security level, in response to a comparison of one or more attributes of the access candidate with the 
one or more access requirements associated with the second security level that indicates that access to the second 
security level by the access candidate is prohibited," as recited by independent claim 7, "submitting a request for 
authorization to a resolution authority, which is configured to modify access requirements associated with the at 
least one data class, in response to a comparison of the citizenship status and the current location of the access 
candidate with the respective citizenship requirement and location requirement of the at least one data class of the 
requested data subset that indicates that access to a requested data subset at the second level by the access candidate 
is prohibited," as recited by independent claim 15, "means for submitting a request for authorization to a resolution 
authority, which is configured to modify the one or more access requirements, if the second comparison indicates 
that access to the electronic data by the access candidate is prohibited," as recited by independent claim 16, "one or 
more resolution authorities, which are configured to modify access requirements associated with the one or more 
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data classes, configured to authorize access to one or more portions of the electronic data in response to a 

comparison performed by a corresponding data access controller that indicates access is prohibited," as recited by 

independent claim 23, "submitting, by the controller, a request for authorization to a resolution authority, which is 

configured to modify the one or more access requirements, in response to a comparison that indicates that access by 

the access candidate is prohibited," as recited by independent claim 24, "submitting, by the controller, a request for 

authorization to a resolution authority, which is configured to modify the one or more access requirements, in 

response to a comparison that indicates that access by the access candidate is prohibited and performing the 

following steps," as recited by independent claim 29, and "submitting a request for authorization to a resolution 

authority, which is configured to modify one or more access requirements associated with the second security level, 

in response to a comparison of one or more attributes of the access candidate with the one or more access 

requirements associated with the second security level that indicates that access to the second security level by the 

access candidate is prohibited and determining, by the resolution authority, whether to authorize the access 

candidate access to the second security level," as recited by independent claim 30. 

The Examiner's rejection of claims 1, 7, 15, 16, 23, 24, 29, and 30 under 35 U.S.C. § 1 12, first paragraph, 

for allegedly failing to comply with the written description requirement is improper and should be reversed. The 

Examiner, on pages 4 and 5 of the Office Action, states: 

There is no disclosure for: the resolution authority, which is configured to modify the one 
or more access requirements". There is no disclosure for a resolution authority to modify 
access requirements in the specification or the original claims. 

Applicants respectfully disagree. As an example, paragraph [0033] of the originally filed Specification 
states: "[SJhould the comparison performed by the DAC security level 106 indicate that access to one or more data 
classes of the secured data is prohibited without authorization, the DAC security level 106 may submit a resolution 
request 122 to a resolution authority 124. The resolution authority 124 ... authorized to provide authorization for 
access .... The authorization may be determined by . . . modifying the access requirements . . . ." 

Thus, Applicant has met the written description requirement. 

Regarding the rejections of claims 1-40, "to establish prima facie obviousness of a claimed invention, all 
the claim limitations must be taught or suggested by the prior art," M.P.E.P. § 2143.03, citing In re Royka, 490 F.2d 
981, 180 U.S.P.Q. 580 (CCPA 1974). 

The Examiner's rejection claims 1-4, 7-10, 14, 16-19, 24-26, 29-33, and 37-40 under 35 U.S.C. § 103(a) as 
allegedly being unpatentable over U.S. Patent No. 6,041,412 to Timson et al. ("Timson") in view of U.S. Patent No. 
6,959,336 to Moreh et al. ("Moreh") is in error and should be reversed. 

Claims 1, 16, 24, and 29 recite features not taught by the combination of Timson and Moreh. For example, 
claim 1 recites, among other features, "submitting, by the controller, a request for authorization to a resolution 
authority, which is configured to modify the one or more access requirements, in response to a comparison that 
indicates that access by the access candidate is prohibited." Claim 16 recites, among other features, "means for 
submitting a request for authorization to a resolution authority, which is configured to modify the one or more 
access requirements, if the second comparison indicates that access to the electronic data by the access candidate is 
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prohibited." Claim 24 recites, among other features, "submitting, by the controller, a request for authorization to a 
resolution authority, which is configured to modify the one or more access requirements, in response to a 
comparison that indicates that access by the access candidate is prohibited." Claim 29 recites, among other features, 
"submitting, by the controller, a request for authorization to a resolution authority, which is configured to modify 
the one or more access requirements, in response to a comparison that indicates that access by the access candidate 
is prohibited and performing the following steps." 

First, as discussed in the responses filed July 2, 2008, and December 22, 2008, Applicants maintain that 
Timson and Moreh cannot be combined. Timson discloses an apparatus and a method for providing access to 
secured data or area that includes at least two secure data modules, an interrogatable module (IM) and an enable 
module (EM). In the case that EM does not have appropriate permissions, no data communication is allowed and 
also if the EM does not provide the necessary permissions, the IM prevents the EM to access the requested data 
(Timson col. 3, line 1 1 to col. 4, line 15, and also col. 13, line 22 to col. 14, line 40). 

The Examiner, on page 4 of the Office Action, states: 

The Timson prior art discloses the capability to add additional authentication modules to 
the authentication procedures. These additional authentication modules can generate a 
hierarchical structure for the authentication process with access to the resolution authority 
performed as a last authentication process as per claim limitation, (see Timson col 4, line 
60 - col. 5, line 4: hierarchical authorization structure) 

Applicants respectfully disagree. Timson discloses that a set of data operations may be stored on a 
controllable module. The controller module can be configured as other types of modules, such as EM or IM, by 
writing permissions data to the modules. In this manner, hierarchical sets of permissions for data operations can be 
written to the modules (Timson col. 4, line 60 to col. 5, line 4). Although Timson teaches that other types of 
modules can be used (that might have hierarchical permissions), the hierarchical data system is nevertheless 
implemented in the form of dual secure data module scheme (Timson col. 1 1, line 65 to col. 12, line 4). There is 
no teaching or suggestion in Timson that the authentication process (or access determination) can use additional 
authorization modules as the Examiner states in the Office Action. The authentication process of Timson only 
involves one EM and one IM that communicate with each other to provide access to secured data and no additional 
security level could be added to this authentication process and if either of EM or IM does not have the necessary 
permissions, access to the secured data is denied. There is no way, in Timson arrangement to add an additional 
authorization module, such as taught by Moreh. Therefore, Applicants maintain that Timson and Moreh cannot be 
combined to establish a prima facie case of obviousness. Timson merely teaches a dual secure data module scheme, 
contrary to the Examiner's suggestion. There is no teaching or suggestion in Timson that additional layers of 
authentication services can be added to this dual scheme. 

Second, assuming arguendo that one could combine modules taught by these references in the manner 
suggested, with which Applicants do not acquiesce, the combination does not teach, suggest, or disclose at least 
"submitting, by the controller, a request for authorization to a resolution authority, which is configured to modify 
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the one or more access requirements , in response to a comparison that indicates that access by the access candidate 
is prohibited ," as recited in claim 1 and similarly worded claims 16, 24, and 29. 

The Examiner, on page 6 of the Office Action, states that Timson does not disclose a resolution authority. 
However, the Examiner relies upon Moreh (Moreh col. 2, lines 48-62; col. 5, line 56 to col. 6, line 19) to allegedly 
show a resolution authority. 

In the Moreh method, a subject, who must authenticate itself, uses a client to initiate a process of obtaining 
access to a server application. The client communicates an authentication request for access to the server 
application to a protocol proxy . The protocol proxy translates the authentication request into a native protocol of an 
authentication mechanism and communicates the translated request to the authentication mechanism. Upon 
successful authentication, the protocol proxy receives a response from the authentication mechanism including 
attributes and access rights of the subject. Then the protocol proxy creates a name assertion, translates this into an 
authentication response, and transmits it back to the client. The client delivers the authentication response to the 
server application. 

Therefore, the protocol proxy of Moreh is only used between the client and the authentication mechanism to 
receive from the authentication mechanism a response including attributes and access rights of the subject and 
creates an authentication name assertion allowing the client to access the server application (Moreh col. 6, lines 7- 
19 and col. 2, lines 57-62). This is not the same as submitting, by the controller, a request for authorization to a 
resolution authority, which is configured to modify the one or more access requirements, in response to a 
comparison that indicates that access by the access candidate is prohibited, as recited in claim 1 and similarly 
worded claims 16, 24, and 29. In contrast to the protocol proxy of Moreh that merely receives attributes and access 
rights of the subject, claim 1 recites that resolution authority , which is configured to modify the one or more access 
requirements . 

Further, Moreh teaches that upon successful authentication , the protocol proxy receives back from the 
authentication mechanism a response including attributes and access rights of the subject (Moreh col. 6, lines 7-19 
and col. 2, lines 57-62). In contrast, claim 1 recites submitting, by the controller, a request for authorization to a 
resolution authority, which is configured to modify the one or more access requirements, in response to a 
comparison that indicates that access by the access candidate is prohibited. 

Therefore, at least for the above reasons, the combination of Timson and Moreh fails to disclose all features 
of independent claim 1 . Independent claims 1 6, 24, and 29 are patentable for similar reasons. 

Claims 2-4, 18-19, 25, 26, and 38-40 depend from claims 1,16, and 24. Thus, at least based on their 
dependency to claims 1, 16, and 24, and further in view of their own features, dependent claims 2-4, 18-19, 25, 26, 
and 38-40 are patentable over the applied references. 

The Examiner rejected independent claims 7 and 30 as being anticipated by the combination of Timson and 
Moreh. These independent claims contain similar language to that found in claims 1,16, 24, and 29, discussed 
above, and are patentable for the same reasons discussed above. Dependent claims 8-10, 14, 31-33, and 37 
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necessarily include all features of claims 7 and 30. The combination of Timson and Moreh fails to disclose all 
features of claims 7 and 30, therefore claims 8-10, 14, 31-33, and 37 are patentable over the applied references. 

The Examiner has rejected claims 5, 6, 11-13, 15, 20-23, 27, 28, and 34-36 under 35 U.S.C. § 103(a) as 
allegedly being unpatentable over Timson in view of Moreh and further in view of U.S. Patent Publication No. 
2004/0049687 to Orsini et al. ("Orsini"). Applicants respectfully traverse this rejection. 

Independent claims 15 and 23 contain similar language to that found in claims 1,7, 16, 24, and 29 and are 
patentable over the combination of Timson and Moreh for the same reasons discussed above. Further, Orsini fails 
to cure the deficiencies of the combination of Timson and Moreh as noted above. Orsini does not teach what is 
missing from the combination of Timson and Moreh, for example the resolution authority, which is configured to 
modify access requirements (as is disclosed in claims 15 and 23). Therefore, claims 15 and 23 are patentable over 
Timson, Moreh, and Orsini taken alone, or in combination, for at least the reasons provided above. 

Dependent claims 5, 6, 1 1-13, 20-22, 27, 28, and 34-36 necessarily include all features of their respective 
independent and any intervening claims including claims 1,7, 16, 24, and 30. As discussed above, the combination 
of Timson and Moreh fails to disclose all features of claims 1,7, 16, 24, and 30, and further, Orsini fails to cure the 
deficiencies of the combination of Timson and Moreh as noted above. Therefore, claims 5, 6, 1 1-13, 20-22, 27, 28, 
and 34-36 are patentable over Timson, Moreh, and Orsini taken alone, or in combination, for at least the reasons 
provided above. 

The Examiner has thus failed to establish a prima facie case of obviousness for at least the reason that 
Timson, Moreh, and Orsini, alone or in any rational combination, fail to teach or suggest, at least, the above-noted 
distinguishing features of claims 1-40. Thus, Applicants assert that the Examiner's reliance upon the combination of 
Timson and Moreh in supporting an obviousness rejection of claims 1-4, 7-10, 14, 16-19, 24-26, 29-33, and 37-40 
and the combination of Timson, Moreh, and Orsini in supporting an obviousness rejection of claims 5, 6, 1 1-13, 15, 
20-23, 27, 28, and 34-36 is factually and legally unfounded. 

The U.S. Patent and Trademark Office is hereby authorized to charge any fee deficiency, or credit any 
overpayment, to our Deposit Account No. 19-0036. 



Respectfully submitted, 



Sterne, Kessler, Goldstein & Fox p.l.l.c. 



Glenn J. Perry J 
Attorney for Applicants 
Registration No. 28,458 
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